No BlackEnergy in New Attacks Hitting Ukrainian Energy Firms

Written by

Security experts are warning headline writers not to jump to conclusions over attribution of the recent BlackEnergy malware attacks against Ukrainian energy companies, after discovering a new wave of attacks featuring different malware.

Eset malware researcher, Robert Lipovsky, explained in a blog post that a new attack campaign targeted at Ukrainian electricity distribution companies was discovered on Tuesday.

But while it bears many of the signs of the now infamous BlackEnergy attacks which crippled power plants in the country just before Christmas, the malware used is different – based on a “freely-available open-source backdoor.”

As before, the threat is email borne and arrives in the form of a malicious .XLS attachment containing HTML content with a link to a .PNG file located on a remote server.

“The malicious macro-enabled XLS file is similar to the ones we’ve seen in previous attack waves. It tries, by social engineering, to trick the recipient into ignoring the built-in Microsoft Office Security Warning, thereby inadvertently executing the macro,” Lipovsky explained.

“Executing the macro leads to the launch of a malicious trojan-downloader that attempts to download and execute the final payload from a remote server.”

The server in question was located in Ukraine and has now been taken offline following a call into CERT-UA and CyS-CERT.

However, instead of BlackEnergy, Lipovsky and his team found the final payload was modified versions of an open-source gcat backdoor written in Python.

“This backdoor is able to download executables and execute shell-commands. Other GCat backdoor functionality, such as making screenshots, keylogging, or uploading files, was removed from the source code,” he said.

“The backdoor is controlled by attackers using a Gmail account, which makes it difficult to detect such traffic in the network.”

Lipovsky added that although many media outlets have attributed the attacks to the Kremlin, great care should be taken when accusing a specific actor, particularly a nation state.

“The current discovery suggests that the possibility of false flag operations should also be considered,” he concluded.

“[It] does not bring us any closer to uncovering the origins of the attacks in Ukraine. On the contrary, it reminds us to avoid jumping to rash conclusions.”

What’s hot on Infosecurity Magazine?